Setup Dovecot with PAM authentication and SSL on CentOS

Dovecot will act as the IMAP server for this setup. If you need POP3, Dovecot can provide that as well, but in this article I’m only going to show how to set up IMAP with SSL to protect the transfer of emails.

Installation

The following command will install Dovecot from the yum repository.

yum -y install dovecot

Installing Dovecot also installs a default set of configuration files. The configuration settings that differ from the built-in defaults can be shown with the following command.

$ doveconf -n

With the default configuration from the yum repository this returns something similar to this.

# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.18.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
mbox_write_locks = fcntl
passdb {
driver = pam
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
driver = passwd
}

Configure Dovecot

The configuration of Dovecot is separated into different configuration files. The initial configuration file that is loaded by Dovecot is the /etc/dovecot/dovecot.conf file. This configuration file loads additional configuration with the include statement you will find near the end of the file.

!include conf.d/*.conf

This causes the files in the conf.d/ subdirectory to be loaded. The first file loaded is /etc/dovecot/conf.d/10-auth.conf, which in turn includes the file /etc/dovecot/conf.d/auth-system.conf.ext.

Authentication

For this setup the passdb needs to be set to “pam”, as this is the authentication service we are going to configure. Edit the /etc/dovecot/conf.d/auth-system.conf.ext file and make sure that the “passdb {” line, the following “driver = pam” line and the closing brace are uncommented. The uncommented passdb section should look like this.

passdb {
driver = pam
# [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=]
# [cache_key=] []
#args = Dovecot
}

With this configured, every Linux account is allowed to log in to Dovecot, but you might not want all shell accounts to be able to log in. The idea is to allow only users that are members of a specific group.

The PAM configuration for Dovecot lives in /etc/pam.d/dovecot and is very similar to the one used for Cyrus SASL authentication. The following line needs to be added at the top of the /etc/pam.d/dovecot file.

auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/pam.d/mail_auth_group.allow

For a detailed explanation of this PAM configuration please see my Setup Postfix with SMTP-AUTH and TLS on CentOS article.

Mailbox locations

As Postfix can deliver mail in different storage formats, the format and location also need to be configured in Dovecot, in the /etc/dovecot/conf.d/10-mail.conf file. Configure the following line to use the mbox format with the subdirectory mail/ in the user's home directory for folders and /var/mail/[username] for the INBOX.

mail_location = mbox:~/mail:INBOX=/var/mail/%u

Additionally, to allow Dovecot to access the mailbox files, change this configuration item in the /etc/dovecot/conf.d/10-mail.conf file as well.

mail_access_groups = mail

SSL/TLS

The file /etc/dovecot/conf.d/10-ssl.conf contains the configuration that secures the communication between the MUA and Dovecot. To enable the SSL functionality, open 10-ssl.conf and uncomment or set the following setting. This means clients can only connect using SSL.

ssl = required

Additionally you will need to provide a certificate and key file. If you need a certificate, consider CACert and StartSSL, as they provide free certificates that can be used for this purpose. The certificate and key file are also configured in 10-ssl.conf by specifying the files in the following two options.

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

Enable Protocols

The protocols supported by Dovecot need to be enabled in /etc/dovecot/dovecot.conf by uncommenting the following line. I decided to enable only IMAP via SSL to access the mailboxes. Other possible protocols include imap, imaps, pop3 and pop3s.

protocols = imap
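As an added example (not part of the original article), here is a small Python checker for the settings configured in the sections above. It parses the doveconf -n format shown at the beginning of this article; the embedded sample configuration is constructed from this article's values, not captured from a real host.

```python
# Constructed sample in the format printed by `doveconf -n`, built from the
# settings this article ends up with (not captured from a real host).
SAMPLE = """\
# 2.0.9: /etc/dovecot/dovecot.conf
mail_location = mbox:~/mail:INBOX=/var/mail/%u
passdb {
  driver = pam
}
protocols = imap
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
"""

def parse_doveconf(text):
    """Flatten doveconf -n output into {'passdb.driver': 'pam', ...}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # comment lines only
            continue
        if line.endswith("{"):                    # block start, e.g. 'passdb {'
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        else:                                     # split at first '=' only
            key, _, value = line.partition("=")
            settings[".".join(stack + [key.strip()])] = value.strip()
    return settings

def audit(settings):
    """Return deviations from the hardened setup this article describes."""
    findings = []
    if settings.get("ssl") != "required":
        findings.append("ssl is not 'required': unencrypted IMAP stays possible")
    if settings.get("passdb.driver") != "pam":
        findings.append("passdb.driver is not pam")
    extra = set(settings.get("protocols", "").split()) - {"imap"}
    if extra:
        findings.append("protocols beyond imap enabled: " + " ".join(sorted(extra)))
    if not settings.get("ssl_cert", "").startswith("<"):
        findings.append("ssl_cert must reference a file with '<'")
    if "/private/" not in settings.get("ssl_key", ""):
        findings.append("ssl_key is not kept under a private directory")
    return findings
```

To check a live host, pass the output of doveconf -n to parse_doveconf instead of SAMPLE.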

Apply Configuration

After the configuration changes, Dovecot needs to be restarted to load the changed configuration.

$ /etc/init.d/dovecot restart

Check the startup configuration, as you will probably want this service to start at boot time. This can be done with the following command.

$ chkconfig dovecot on

Test the IMAP authentication

To test the IMAP setup, connect to Dovecot with openssl (or telnet if you don’t use SSL) as in the example below. Follow the example and type in the lines marked with “C: ”. You should see output similar to the lines marked “S: ” in the example. The output might look a little different depending on whether you already have an email in the inbox.

If you don’t want to type all these commands, you can also use my Mailserver-Test script, a simple and small script that does all this for you.

$ openssl s_client -connect host.example.com:993
S: depth=0 /description=jlxxxxxxxxxxxx56/C=AT/ST=Wien/L=Vienna/O=John Doe/CN=*.example.com/emailAddress=webmaster@example.com
S: verify error:num=20:unable to get local issuer certificate
S: verify return:1
S: depth=0 /description=jlxxxxxxxxxxxx56/C=AT/ST=Wien/L=Vienna/O=John Doe/CN=*.example.com/emailAddress=webmaster@example.com
S: verify error:num=27:certificate not trusted
S: verify return:1
S: depth=0 /description=jlxxxxxxxxxxxx56/C=AT/ST=Wien/L=Vienna/O=John Doe/CN=*.example.com/emailAddress=webmaster@example.com
S: verify error:num=21:unable to verify the first certificate
S: verify return:1
S: CONNECTED(00000003)
S: ---
S: Certificate chain
S:  0 s:/description=jlxxxxxxxxxxxx56/C=AT/ST=Wien/L=Vienna/O=John Doe/CN=*.example.com/emailAddress=webmaster@example.com
S:    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
S: ---
S: Server certificate
S: -----BEGIN CERTIFICATE-----
S: M1ha0jCCBrqgAwIG6e5DAUhwMA0GCSqGSIm7dVEBBQUAMIGMMQswCQYDVQQGEwJJ
...
S: nwYW7/SVwlNgnGT4SZbSIV90/QF7fNG5PBX3j0nXp/8tDx+uU0=
S: -----END CERTIFICATE-----
S: subject=/description=jlxxxxxxxxxxxx56/C=AT/ST=Wien/L=Vienna/O=John Doe/CN=*.example.com/emailAddress=webmaster@example.com
S: issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
S: ---
S: No client certificate CA names sent
S: ---
S: SSL handshake has read 2961 bytes and written 328 bytes
S: ---
S: New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
S: Server public key is 4096 bit
S: Secure Renegotiation IS supported
S: Compression: NONE
S: Expansion: NONE
S: SSL-Session:
S:     Protocol  : TLSv1
S:     Cipher    : DHE-RSA-AES256-SHA
S:     Session-ID: AE79XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX027
S:     Session-ID-ctx: 
S:     Master-Key: C8A4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX05AC
S:     Key-Arg   : None
S:     Start Time: 1382899496
S:     Timeout   : 300 (sec)
S:     Verify return code: 21 (unable to verify the first certificate)
S: ---
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
C: a1 LOGIN username password
S: a1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
C: a2 LIST "" "*"
S: * LIST (\NoInferiors \UnMarked) "/" "Trash"
S: * LIST (\NoInferiors \UnMarked) "/" "INBOX"
S: a2 OK List completed.
C: a3 EXAMINE INBOX
S: * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
S: * OK [PERMANENTFLAGS ()] Read-only mailbox.
S: * 2 EXISTS
S: * 0 RECENT
S: * OK [UIDVALIDITY 1382892464] UIDs valid
S: * OK [UIDNEXT 7] Predicted next UID
S: * OK [HIGHESTMODSEQ 1] Highest
S: a3 OK [READ-ONLY] Select completed.
C: a4 SELECT INBOX
S: * OK [CLOSED] Previous mailbox closed.
S: * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
S: * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
S: * 2 EXISTS
S: * 0 RECENT
S: * OK [UIDVALIDITY 1382892464] UIDs valid
S: * OK [UIDNEXT 7] Predicted next UID
S: * OK [HIGHESTMODSEQ 1] Highest
S: a4 OK [READ-WRITE] Select completed.
C: a5 FETCH 1 BODY[]
S: * 1 FETCH (BODY[] {377}
S: Message-ID: <5590658B.5906506@domain.com>
S: Date: Sun, 27 Oct 2013 18:42:35 +0100
S: From: Gerhard <recipient@domain.com>
S: MIME-Version: 1.0
S: To: John Doe <sender@example.com>
S: Subject: test
S: Content-Type: text/plain; charset=ISO-8859-1; format=flowed
S: Content-Transfer-Encoding: 7bit
S: 
S: This is a test mail. When finished enter a . (dot) in a single line.
S: 
S: )
S: a5 OK Fetch completed.
C: a6 LOGOUT
S: DONE
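The same a1 to a6 dialogue as a Python client, added here as an illustration and not the author's Mailserver-Test script. It verifies the server certificate against a CA bundle (the openssl run above ends with verify code 21 because no CA was supplied), audits the advertised capabilities, and repeats LOGIN, LIST and EXAMINE; host.example.com, the account and the CA bundle path are placeholders.

```python
import imaplib
import ssl

# Capability list Dovecot advertised in the greeting of the transcript above.
GREETING_CAPS = "IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN"

def audit_capabilities(caps, over_tls):
    """Return findings for a capability list (str or sequence of str).

    AUTH=PLAIN and LOGIN carry the password unprotected, which is acceptable
    only when the connection is already wrapped in TLS (port 993, as here).
    On a plaintext port a server should offer STARTTLS and set LOGINDISABLED.
    """
    caps = {c.upper() for c in (caps.split() if isinstance(caps, str) else caps)}
    findings = []
    if not over_tls and ("AUTH=PLAIN" in caps or "LOGINDISABLED" not in caps):
        findings.append("password could be sent unencrypted")
    if not over_tls and "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    if "IMAP4REV1" not in caps:
        findings.append("IMAP4rev1 not advertised")
    return findings

def check_imap_login(host, user, password, cafile, port=993):
    """Repeat the a1 to a6 dialogue from the transcript over verified TLS.

    Returns (capability findings, mailbox names, number of messages in INBOX).
    """
    # Unlike the openssl run above, this context verifies the chain against
    # cafile and checks the host name, so an untrusted certificate aborts the
    # connection instead of just printing 'Verify return code: 21'.
    ctx = ssl.create_default_context(cafile=cafile)
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as conn:
        findings = audit_capabilities(conn.capabilities, over_tls=True)
        conn.login(user, password)                     # a1 LOGIN
        _, boxes = conn.list()                         # a2 LIST "" "*"
        names = [b.decode().rsplit(" ", 1)[-1].strip('"') for b in boxes]
        _, data = conn.select("INBOX", readonly=True)  # a3 EXAMINE INBOX
        count = int(data[0])                           # '* 2 EXISTS' -> 2
    return findings, names, count                      # a6 LOGOUT on exit

if __name__ == "__main__":
    # Placeholders: replace with the real host, account and CA bundle path.
    print(check_imap_login("host.example.com", "username", "password",
                           "/path/to/ca-bundle.pem"))
```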

Read more of my posts on my blog at http://blog.tinned-software.net/.
